For example, in network communications, electronic transactions, and other data processing fields, ensuring security is a critical issue. Cryptography technology is a method for ensuring security, and cryptographic processes are used in various fields.
Systems have been put into practical use in which a cryptographic processing module is embedded in a compact device such as an IC card, and data is sent and received between the IC card and a reader/writer serving as a data read/write device in order to perform an authentication process or to encrypt and decrypt the data sent and received.
There are various cryptographic processing algorithms. The algorithms are roughly classified into public-key cryptography in which encryption and decryption keys are set as different keys, for example, a public key and a secret key, and common-key cryptography in which both an encryption key and a decryption key are set as a common key.
There are various algorithms in common-key cryptography. One of them is a method in which a plurality of keys are generated based on a common key and a data transformation process is repeatedly executed in units of blocks (64 bits, 128 bits, 256 bits, and the like) using the plurality of generated keys. A typical algorithm to which such a key generation method and data transformation process are applied is common-key block cipher cryptography.
Known typical common-key block cipher algorithms include the DES (Data Encryption Standard) algorithm, formerly the U.S. standard cipher, and the AES (Advanced Encryption Standard) algorithm, the current U.S. standard.
Such common-key block cipher algorithms are mainly constituted by a cryptographic processing part having round-function executing parts for repeatedly executing transformation of input data, and a key scheduling part for generating round keys applied in individual rounds of the round-function parts. The key scheduling part first generates an expanded key with an increased number of bits on the basis of a master key (primary key) serving as a secret key, and generates a round key (sub-key) to be applied in each round-function part of the cryptographic processing part on the basis of the generated expanded key.
As a specific structure for executing such algorithms, a structure having linear transformation parts and non-linear transformation parts for repeatedly executing round functions has been known. For example, a typical structure is a Feistel structure. The Feistel structure is a structure for transforming plaintext into ciphertext by using simple iterations of a round function (F-function) serving as a data transformation function. In a round function (F-function), a linear transformation process and a non-linear transformation process are executed. Note that, for example, Non-Patent Documents 1 and 2 are documents which describe cryptographic processes in which the Feistel structure is applied.
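The key scheduling part and the Feistel round structure described above can be seen together in the following added example, which is not taken from this document or from Non-Patent Documents 1 and 2. The 64-bit block size, 16 rounds, rotation amounts, SHAKE-256 key expansion and all function names are assumptions chosen for illustration, and the cipher is not DES, AES or any standardized algorithm.

```python
import hashlib

MASK32 = 0xFFFFFFFF
# 4-bit S-box values of the PRESENT cipher, used here only as a handy permutation.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def key_schedule(master_key: bytes, rounds: int = 16):
    """Master key -> expanded key (more bits) -> one 32-bit round key per round.
    SHAKE-256 is an assumption standing in for a cipher-specific expansion."""
    expanded = hashlib.shake_256(master_key).digest(4 * rounds)
    return [int.from_bytes(expanded[4 * i:4 * i + 4], "big") for i in range(rounds)]

def f_function(half, round_key):
    """Round function: key mixing, non-linear S-box layer, linear diffusion."""
    x = half ^ round_key
    s = 0
    for i in range(8):                       # non-linear: S-box on each nibble
        s |= SBOX[(x >> (4 * i)) & 0xF] << (4 * i)
    return s ^ rotl32(s, 3) ^ rotl32(s, 10)  # linear: XOR of rotations

def feistel(block, round_keys):
    left, right = block >> 32, block & MASK32
    for rk in round_keys:
        left, right = right, left ^ f_function(right, rk)
    return (right << 32) | left              # undo the last swap

def encrypt(block, master_key):
    return feistel(block, key_schedule(master_key))

def decrypt(block, master_key):
    # Same structure, round keys in reverse order; F itself is never inverted.
    return feistel(block, key_schedule(master_key)[::-1])

if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed sample key
    pt = 0x0123456789ABCDEF                  # constructed 64-bit block
    ct = encrypt(pt, key)
    print(f"{pt:016x} -> {ct:016x} -> {decrypt(ct, key):016x}")
```

Decryption reuses the same `feistel` routine with the round keys reversed, which is why the F-function does not need to be invertible.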
However, a problem with such a common-key block cipher process is key leakage due to cryptanalysis. If keys are easy to break by cryptanalysis, the security of the cryptographic process is low, which is a serious problem in practice.
Non-Patent Document 1: K. Nyberg, "Generalized Feistel networks", ASIACRYPT '96, Springer-Verlag, 1996, pp. 91-104.
Non-Patent Document 2: Yuliang Zheng, Tsutomu Matsumoto, Hideki Imai, "On the Construction of Block Ciphers Provably Secure and Not Relying on Any Unproved Hypotheses", CRYPTO 1989, pp. 461-480.